Re: compromised network

From: Lard van den Berg (lard_at_vandenberg.com)
Date: 12/30/03

    To: "Dana Rawson" <absolutezero273c@nzoomail.com>, <security-basics@securityfocus.com>
    Date: Mon, 29 Dec 2003 23:31:43 -0000
    
    

    Dana,
    I would externally disconnect your network (of course if this is possible -
    not always in the age of e-commerce etc.) and build up your network from
    scratch. Depending on how many servers you have got, it is a rather daunting
    task to find out what is infected and what isn't. Re-install the OS systems and
    look at backups of the log files of the compromised ones to see if there are any
    footprints. You might want to leave a disinfected server in place
    (disconnected though) for any legal steps you want to take. Installing an
    IDS system would be suggested for the future.

    Regards,
    Lard van den Berg

    ----- Original Message -----
    From: "Dana Rawson" <absolutezero273c@nzoomail.com>
    To: <security-basics@securityfocus.com>
    Sent: Friday, December 26, 2003 7:21 PM
    Subject: compromised network

    >
    >
    > Not sure where to start except by saying that my servers and router were
    > compromised. Have locked down both servers and routers (at least I have
    > attempted to do so) but what is the best way to verify that there is nothing
    > rogue left active on the servers? Also, is there any legal action I should
    > take (i.e. do I alert any authorities)? It appears that my network was
    > targeted by a server in California and individuals from Australia, the
    > Netherlands and the US were connecting using it as an FTP server. It was
    > actually named "Revenge Server".
    >
    > I just installed Ethereal and am currently capturing packets but am not
    > really sure how to read this or if there is any easier way to monitor all
    > things. ...And to actually know how to read it.
    >
    > Will I be able to retrieve IP addresses from packets to match activity on
    > my syslog and identify rogue traffic?
    >
    > This is all new to me so I apologize if my questions don't make sense or
    > my approach is illogical.
    >
    
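Dana asks whether the IP addresses in the captured packets can be matched against syslog to pick out rogue traffic, and Lard suggests going through the backed-up log files of the compromised machines for footprints. The script below is an added example, not code from either poster. It reads tcpdump-style one-line packet summaries (the text form Ethereal/tcpdump can export) and FTP daemon syslog lines, both constructed samples here, lists every source outside the local network that connected to the FTP ports, and attaches the syslog lines that mention the same address. The trusted network 198.51.100.0/24, the port list and the exact log formats are assumptions; adapt them to the real capture and daemon.

```python
"""Correlate source IPs in a packet capture with syslog lines (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample capture, in tcpdump one-line summary format.
# 198.51.100.7 plays the compromised server; the other addresses are
# documentation ranges, not real hosts from the original thread.
CAPTURE = """\
23:31:02.101 IP 203.0.113.45.51022 > 198.51.100.7.21: Flags [S], seq 1
23:31:02.230 IP 198.51.100.7.21 > 203.0.113.45.51022: Flags [S.], seq 2, ack 2
23:31:05.004 IP 192.0.2.88.40011 > 198.51.100.7.21: Flags [S], seq 3
23:31:09.717 IP 198.51.100.20.35000 > 198.51.100.7.22: Flags [S], seq 4
23:31:11.300 IP 203.0.113.45.51023 > 198.51.100.7.20: Flags [S], seq 5
"""

# Constructed sample syslog lines; the ftpd/sshd message text is assumed.
SYSLOG = """\
Dec 26 23:31:02 srv1 ftpd[1201]: connection from 203.0.113.45
Dec 26 23:31:03 srv1 ftpd[1201]: ANONYMOUS FTP LOGIN FROM 203.0.113.45 [203.0.113.45], guest@
Dec 26 23:31:05 srv1 ftpd[1204]: connection from 192.0.2.88
Dec 26 23:31:09 srv1 sshd[900]: Accepted publickey for admin from 198.51.100.20 port 35000 ssh2
"""

# Assumption: the server LAN; anything outside it is treated as external.
TRUSTED_NETS = [ip_network("198.51.100.0/24")]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# tcpdump prints "IP src.sport > dst.dport:" for TCP/UDP summaries.
CAPTURE_LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def parse_capture(text):
    """Return (src, sport, dst, dport) for every summary line that parses."""
    flows = []
    for line in text.splitlines():
        m = CAPTURE_LINE.search(line)
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def syslog_ips(text):
    """Map each IPv4 address seen in syslog to the lines mentioning it."""
    hits = defaultdict(list)
    for line in text.splitlines():
        for ip in set(IPV4.findall(line)):  # one entry per line even if repeated
            hits[ip].append(line)
    return hits


def is_trusted(ip):
    """True if the address falls inside one of the trusted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def rogue_sources(capture_text, syslog_text, ports=(20, 21)):
    """External sources that hit the given ports, with corroborating syslog lines.

    Returns {src_ip: {"packets": count, "syslog": [matching lines]}}.
    """
    logs = syslog_ips(syslog_text)
    report = {}
    for src, _sport, _dst, dport in parse_capture(capture_text):
        if dport in ports and not is_trusted(src):
            entry = report.setdefault(src, {"packets": 0, "syslog": logs.get(src, [])})
            entry["packets"] += 1
    return report


if __name__ == "__main__":
    for ip, info in sorted(rogue_sources(CAPTURE, SYSLOG).items()):
        print(f"{ip}: {info['packets']} packet(s) to FTP ports")
        for line in info["syslog"]:
            print("    syslog:", line)
```

The capture alone tells you who connected; the syslog lines tell you what they did once connected (here, an anonymous FTP login). Running this against the backed-up logs Lard mentions, rather than the logs still sitting on the compromised box, matters because an intruder with root can edit the live ones.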
